Legal

EU / UK / CA Privacy Addendum

Supplemental privacy terms for EU, UK, and Canadian users.

Preamble and Applicability

This Jurisdictional Privacy Addendum ("Addendum") supplements the Snap Voyagers Privacy Policy and applies to you if you are an individual located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or the State of California.

This Addendum provides additional disclosures and describes rights granted by the EU General Data Protection Regulation (2016/679) ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").

In the event of a conflict between the main Privacy Policy and this Addendum, the terms of this Addendum shall control for individuals in the covered jurisdictions. For the purposes of the GDPR and UK GDPR, the data controller for personal data processed through the Platform is VTX, LLC, doing business as Snap Voyagers. Our designated contact for data protection matters can be reached at [Data Protection Officer Email].

1. Definitions (EU/UK & California Specific)

Capitalized terms not defined in this Addendum shall have the meaning set forth in our main Privacy Policy or the Snap Voyagers Terms of Service. For the purposes of this Addendum, the following definitions apply:

For the European Union & United Kingdom

  • "Personal Data" means any information relating to an identified or identifiable natural person (a "Data Subject").
  • "Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
  • "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, use, disclosure, or erasure.
  • "Controller" means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • "Processor" means an entity that processes Personal Data on behalf of the Controller.

For California

  • "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.
  • "Sensitive Personal Information" is a specific subset of Personal Information that includes, but is not limited to, government identifiers (like a Social Security number), account log-in credentials in combination with a password, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of a consumer’s mail, email, and text messages (unless we are the intended recipient), and health information.
  • "Sale" and "Share" have the meanings given in the CCPA. A "Sale" is the disclosure of Personal Information to a third party for monetary or other valuable consideration. A "Share" is the disclosure of Personal Information to a third party for cross-context behavioral advertising.
  • "Business" and "Service Provider" have the meanings given to them in the CCPA.

2. Legal Bases for Processing (EU/UK)

We process your Personal Data under various legal bases as permitted by the GDPR and UK GDPR. The specific basis depends on the context of the processing activities described in our main Privacy Policy. The principal legal bases we rely upon are:

  • To Perform Our Contract with You: A significant portion of our processing is necessary to provide the services you have requested, pursuant to our Terms of Service. This includes creating and managing your account, facilitating Journey bookings and payments, enabling communication between Users, and providing customer support.
  • For Our Legitimate Interests: We process Personal Data for our legitimate business interests, provided these interests are not overridden by your own rights and freedoms. We conduct a balancing test for any processing based on legitimate interests. These interests include:
    • Operating, improving, and personalizing the Platform for our Users.
    • Ensuring the security and integrity of our Platform, including for fraud detection and prevention.
    • Marketing and promoting our services (where consent is not legally required).
    • Analyzing platform usage to understand user behavior and improve our services.
    • Enforcing our Terms of Service and other policies.
  • With Your Consent: Where required by law, we will ask for your consent to process Personal Data for specific purposes. This includes sending you direct marketing communications or processing Special Category Data, such as health information you voluntarily provide in a medical form. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • To Comply with a Legal Obligation: We may process your Personal Data where necessary to comply with our legal and regulatory obligations. This may include tax reporting, responding to lawful requests from law enforcement or other authorities, or fulfilling our financial accounting requirements.
  • To Protect Vital Interests: In rare emergency situations, we may process Personal Data to protect your vital interests or those of another individual, such as sharing medical information with first responders during a Journey.

3. Data Subject Rights (EU/UK)

If you are a resident of the EEA or the UK, you have the following rights in relation to your Personal Data, subject to applicable limitations and exceptions:

  • Right to Rectification: You have the right to request the correction of any inaccurate Personal Data we hold about you and to have any incomplete data completed.
  • Right to Erasure ('Right to be Forgotten'): You have the right to request that we delete your Personal Data. This right is not absolute and may be subject to legal exceptions, such as when processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
  • Right to Restriction of Processing: You have the right to request that we temporarily suspend the processing of your Personal Data in certain situations, for example, while we are verifying its accuracy.
  • Right to Data Portability: Where our processing is based on contract performance or your consent, you have the right to receive the Personal Data you have provided to us in a structured, commonly used, and machine-readable format, and you have the right to transmit that data to another controller without hindrance from us.
  • Right to Object: You have the right to object to our processing of your Personal Data when it is based on our legitimate interests. You also have an unconditional right to object at any time to the processing of your Personal Data for direct marketing purposes.
  • Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you. In such cases, you are entitled to obtain human intervention, express your point of view, and contest the decision.

To exercise any of these rights, please contact us at [Data Protection Officer Email]. We will respond to your request within one month, though this period may be extended by two additional months where necessary for complex requests. We will need to verify your identity before processing your request, which may require you to provide additional information.

4. Transfers of Personal Data Outside the EEA/UK

Snap Voyagers is based in the United States, and your Personal Data will be transferred to, stored, and processed in the United States and potentially other countries outside of the EEA and the UK. These countries may not have data protection laws equivalent to those in your jurisdiction.

When we transfer your Personal Data outside the EEA or the UK to a country that has not been deemed to provide an adequate level of data protection by the European Commission or the UK Government, we implement appropriate safeguards to protect your data. Primarily, we rely on the Standard Contractual Clauses ("SCCs") approved by the European Commission, supplemented by the UK's International Data Transfer Addendum where applicable.

These contractual commitments are further supported by our own technical and organizational security measures and, where necessary, by conducting Transfer Impact Assessments to ensure that your Personal Data receives a level of protection that is essentially equivalent to that provided within the EEA and UK. You may request a copy of the relevant SCCs or information about other transfer safeguards by contacting us at [Data Protection Officer Email].

5. Controller / Processor Roles and Data Processing Agreements (EU/UK)

The allocation of data protection responsibilities depends on the specific processing activity.

  • Snap Voyagers as Controller: When you interact directly with the Platform—for example, by creating an account, browsing listings, or receiving marketing communications—Snap Voyagers acts as the Controller of your Personal Data. We determine the purposes and means of processing for our own marketplace operations.
  • Snap Voyagers as Processor: When we process Personal Data on behalf of a Group Leader to facilitate the operation of their Journey, we act as a Processor. For example, we process traveler booking information on the Group Leader's instructions. In this context, the Group Leader is the Controller. Our processing activities are governed by a Data Processing Agreement ("DPA") with the Group Leader, which incorporates the requirements of Article 28 of the GDPR.

We engage third-party service providers ("subprocessors") to support our Platform, such as for payment processing and cloud hosting. We maintain contractual agreements with these subprocessors that include data protection obligations consistent with our own. A list of our key subprocessors is available to Group Leaders upon request as part of our DPA.

6. Automated Decision‑Making and Profiling (EU/UK)

We use automated systems to profile Users to personalize and improve your experience on the Platform. This includes suggesting Journeys you may be interested in based on your browsing history, saved items, or stated preferences. We may also use profiling to rank search results. This processing is based on our legitimate interests and does not produce legal or similarly significant effects on you.

In limited circumstances, such as for fraud detection or security monitoring, we may use automated systems to make decisions that could have a significant effect, such as temporarily or permanently suspending an account. Where such a decision is made, you have the right to obtain human intervention, express your point of view, and contest the decision. If you wish to exercise these rights, please contact us at [Data Protection Officer Email].

7. Retention, Minimisation and Security (EU/UK & California)

We are committed to the principles of data minimisation, retaining Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Our retention periods vary depending on the type of data and the reason for its processing. For example, account information is generally retained for the duration of your account's existence and for a reasonable period thereafter to allow for the exercise or defense of legal claims. Transactional data may be retained for longer periods to comply with tax and financial laws.

We have implemented appropriate technical and organizational security measures designed to protect your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. These measures include encryption, access controls, and regular security assessments. More information on our data retention and security practices can be found in our main Privacy Policy.

8. California Privacy Rights (CCPA/CPRA) — Scope and Definitions

This section applies to you if you are a resident of California. It describes your rights and explains how to exercise those rights under the California Consumer Privacy Act (CCPA).

For the purposes of the CCPA, Snap Voyagers (VTX, LLC) generally acts as a "Business" when we collect and process your Personal Information to operate the Platform and provide our services directly to you. When we process Personal Information on behalf of a Group Leader to facilitate a Journey they operate, we may act as a "Service Provider" to that Group Leader. Our obligations in that role are governed by our agreements with the Group Leader.

As defined by the CCPA, a "Sale" of Personal Information is a disclosure to a third party for monetary or other valuable consideration. A "Share" is a disclosure to a third party for cross-context behavioral advertising. We do not "Sell" your Personal Information in the traditional sense. However, our use of certain third-party advertising and analytics cookies may be considered a "Share" under the CCPA. You can opt out of this activity as described below.

We may collect certain categories of "Sensitive Personal Information", including:

  • Account log-in credentials in combination with a password.
  • Precise geolocation data, if you grant permission.
  • Information concerning your health, if you voluntarily provide it in a medical form for a Journey.

We do not use or disclose your Sensitive Personal Information for purposes other than those specified in the CCPA regulations, such as to provide the services you requested or as otherwise permitted by law.

9. California Consumer Rights and Exercise Mechanisms

As a California resident, you have the following rights regarding your Personal Information, subject to certain exceptions:

  • The Right to Know: You have the right to request that we disclose to you the Personal Information we collect, use, disclose, sell, or share. This includes the right to request the specific pieces of Personal Information we have collected about you.
  • The Right to Delete: You have the right to request that we delete Personal Information that we have collected from you.
  • The Right to Correct: You have the right to request that we correct inaccurate Personal Information that we maintain about you.
  • The Right to Opt-Out of Sale or Sharing: You have the right to direct us not to "Sell" or "Share" your Personal Information. You can exercise this right through the "Do Not Sell or Share My Personal Information" link in the footer of our website.
  • The Right to Limit Use and Disclosure of Sensitive Personal Information: You have the right to limit our use and disclosure of your Sensitive Personal Information to purposes that are necessary to perform the services you requested. As stated above, we already limit our use of such information to these permitted purposes.
  • The Right to Non-Discrimination: You have the right not to receive discriminatory treatment by us for the exercise of any of your privacy rights.

To exercise your rights to know, delete, or correct, please submit a verifiable consumer request to us by either:

  • Emailing us at [Privacy Rights Email Address]; or
  • Submitting a request through our online portal at [Privacy Rights Webform Link].

Only you, or a person you have authorized to act on your behalf, may make a verifiable consumer request. We will need to verify your identity before processing your request. The verification process may require you to provide two or three pieces of Personal Information that we can match against our records. We will respond to a verifiable consumer request within 45 days of its receipt, though this period may be extended by another 45 days where necessary.

10. Do Not Sell or Share/Opt-Out Mechanisms and Global Opt-Out Signals

You can exercise your right to opt-out of the "Sharing" of your Personal Information for cross-context behavioral advertising by clicking the "Do Not Sell or Share My Personal Information" link in the footer of our website. This will allow you to manage your cookie preferences and disable advertising and analytics cookies that may constitute a "Share" under the CCPA.

In addition, our Platform recognizes the Global Privacy Control ("GPC") signal. If we detect that your browser is broadcasting a GPC signal, we will automatically treat it as a valid request to opt-out of the "Sharing" of your Personal Information for the browser from which the signal is sent.

When you submit an opt-out request, we take steps to propagate that request to the relevant third-party advertising and analytics vendors with whom we have a direct relationship, instructing them not to "Sell" or "Share" your Personal Information. You may request a list of the categories of third-party vendors to whom we disclose Personal Information by contacting us at [Privacy Rights Email Address].

11. Service Provider and Contractual Limitations (California & EU/UK intersection)

When Snap Voyagers acts as a "Service Provider" (under the CCPA) or a "Processor" (under the GDPR/UK GDPR) on behalf of our Group Leaders, our processing of Personal Information is governed by contractual agreements. These agreements, often in the form of a Data Processing Addendum ("DPA"), require us to:

  • Process Personal Information only for the limited and specified business purposes as instructed by the Group Leader (the "Business" or "Controller").
  • Refrain from retaining, using, or disclosing the Personal Information for any purpose other than for the specific purpose of performing the services specified in our contract.
  • Assist the Group Leader, upon their request, in responding to consumer or data subject rights requests.

These contractual limitations ensure that when we are handling data on behalf of our business customers, we do so in a manner consistent with applicable privacy laws. Group Leaders may obtain our DPA template by contacting [Group Leader Support Email].

12. Kids, Age Restrictions and Special Category Data

The Snap Voyagers Platform is not intended for or directed at children. You must be at least 18 years of age or the age of majority in your jurisdiction to create an account and use our services. We do not knowingly collect Personal Information from individuals under the age of 16. If we become aware that we have inadvertently collected such information, we will take steps to delete it.

We also recognize that certain information you provide may be considered "Special Category Data" (under GDPR/UK GDPR) or "Sensitive Personal Information" (under CCPA), such as health information disclosed in a medical form for a Journey. We process this data only where necessary for the services and with your explicit consent. It is the responsibility of the Group Leader, as the operator of the Journey, to obtain legally sufficient consent for the collection and use of such data through appropriate forms, which we may help facilitate as an administrative convenience.

13. Data Breach Notification and Cooperation with Supervisory Authorities

In the event of a Personal Data breach, we have procedures in place to assess the risk to individuals' rights and freedoms and to comply with our notification obligations under applicable law.

If a breach affecting EEA or UK residents is likely to result in a high risk to individuals, we will notify the affected individuals without undue delay. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If a breach affects California residents, we will provide notification in accordance with California law.

When we act as a Processor for a Group Leader, we will notify the Group Leader (the Controller) of any data breach without undue delay. We are committed to cooperating with supervisory authorities and providing them with required information in the event of an inquiry or investigation.

14. Exercising Rights; Contact Information; EU/UK Representative (if applicable)

To exercise any of the rights described in this Addendum, please contact our Data Protection team using the designated methods outlined in our main Privacy Policy or by emailing [Privacy Rights Email Address].

Our designated Data Protection Officer can be reached at [Data Protection Officer Email].

If you are a California resident, your authorized agent may make a request on your behalf. We will require the agent to provide proof of your written permission to make the request and may also need to verify your identity directly.

If we are required to appoint a representative in the EU or the UK under the GDPR or UK GDPR, their contact details will be provided in this section.

15. Dispute Resolution; Supervisory Authority Contact Details

While we hope to resolve any concerns you have directly, you have the right to lodge a complaint with a competent data protection supervisory authority.

  • For the UK: You can contact the Information Commissioner's Office (ICO).
  • For the EEA: You can contact the data protection authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement. A list of authorities is available from the European Data Protection Board.
  • For California: You can file a complaint with the California Privacy Protection Agency (CPPA) or the California Attorney General's office.

The dispute resolution provisions, including the arbitration clause, in our Terms of Service do not prevent you from exercising your right to file a complaint with a supervisory authority.

16. Amendments, Effective Date and Versioning

This Addendum is effective as of [EFFECTIVE DATE]. We may amend this Addendum from time to time to reflect changes in the law or our data processing practices.

We will provide notice of any material changes through the Platform or by email, in accordance with the notification provisions in our main Privacy Policy and Terms of Service. The "Last Updated" date at the top of this document indicates when it was last revised. We encourage you to review this Addendum periodically to stay informed.

17. Recordkeeping, Audit Rights and Cooperation (Business-to-Business/Operator Obligations)

We maintain records of consumer and data subject rights requests as required by the CCPA and GDPR.

When we act as a Processor or Service Provider for our Group Leaders, we are obligated to cooperate with them to help them meet their own compliance obligations. This includes assisting with data subject requests and providing information necessary to demonstrate compliance with Article 28 of the GDPR. Any rights to audit our processing activities are governed by the terms of our Data Processing Agreement (DPA) with the Group Leader.

Group Leaders, as Controllers or Businesses, are responsible for their own compliance with applicable privacy laws and must ensure their use of the Platform and handling of User data complies with this Addendum and all relevant regulations.

Acknowledged and Adopted by VTX, LLC: ________________________________________ Name: [Name of Approver] Title: [Title of Approver] Date:_________________________